CFIUS Finalizes Regulations to Increase Penalties, Expand Subpoena Authority, and Enhance Enforcement Authorities to Protect National Security

CFIUS Finalizes Regulations to Increase Penalties, Expand Subpoena Authority, and Enhance Enforcement Authorities to Protect National Security

On Monday, November 18, 2024, the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”) announced that it had finalized the regulatory changes previewed in April that will enhance certain CFIUS procedures and sharpen its penalty and enforcement authorities.[1]  The changes go into effect on December 26, 2024 and as described in more detail below: (a) expand the types of information that CFIUS can require transaction parties and other persons (i.e., third-parties) submit when engaging with them on transactions that were not filed with CFIUS; (b) broaden the instances in which CFIUS may use its subpoena authority, including when seeking to obtain information from third persons not party to a transaction notified to CFIUS and in connection with assessing national security risk associated with non-notified transactions; and (c) substantially increase monetary penalties for violations of CFIUS regulations from a maximum of U.S. $250,000 to U.S. $5 million per violation, or the value of the transaction, whichever is greater.

When announcing the final text of the revised regulations, CFIUS noted that these changes are the “first substantive update to the monitoring and enforcement provisions of the CFIUS regulations”[2] since the enactment of the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), which amended CFIUS’s governing statute and significantly overhauled the CFIUS process to introduce key features such as mandatory filings for certain transactions, authority to review specific minority investments, and filing fees for notices.

Summary of Changes Effective on December 26, 2024:

1. Expanding the types of information CFIUS can require transaction parties and other persons to submit when engaging with them on transactions that were not filed with CFIUS;

At Present: Authority to request from the parties to a non-notified transaction information necessary to determine whether the transaction is a “covered transaction” (i.e., if CFIUS has jurisdiction).

On or after December 26, 2024: Expanded authority to request information not just from transaction parties but also “other parties” (i.e., third-parties), as well as expanded authority to request additional types of information to determine if a transaction triggers the mandatory filing requirement or raises national security concerns beyond just jurisdictional inquiries.

2. Allowing the CFIUS Staff Chairperson to set, as appropriate, a timeline for transaction parties to respond to risk mitigation proposals for matters under active review to assist CFIUS in concluding its reviews and investigations within the time frame required by statute;

At Present: No requirement for the parties to respond to risk mitigation proposals from CFIUS within a specific time frame, and no explicit authority for CFIUS to impose any deadlines with respect to responses to proposed mitigation terms.

On or after December 26, 2024: CFIUS may, in its discretion, impose a 3-business day deadline for the parties to respond to proposed mitigation proposals (for initial and subsequent drafts).  If CFIUS does impose a response deadline, and the parties fail to respond in the specified time frame, CFIUS can reject the notice entirely.  CFIUS can also implement interim or final national security measures on pending transactions (for example, CFIUS rejects a notice because the parties do not respond to mitigation proposals in a timely fashion, but because of the national security concerns identified, CFIUS imposes interim restrictive measures preventing the parties from closing because CFIUS was not able to finish its review). 

3. Expanding the circumstances in which a civil monetary penalty may be imposed due to a party’s material misstatement and omission, including when the material misstatement or omission occurs outside a review or investigation of a transaction and when it occurs in the context of CFIUS’s monitoring and compliance functions;

At Present: Currently, the regulations provide for penalties to be imposed in the following situations: (a) submitting a declaration or notice with a material misstatement or omission, or making a false certification; (b) failing to submit a timely declaration or notice in the certain circumstances in which submission is mandatory; and (c) violating a material provision of a mitigation agreement, material condition imposed, or order issued.

On or after December 26, 2024: Effective December 26, 2024, CFIUS penalties also would apply to material misstatements or omissions in contexts outside of declarations and notices—in particular, responses to the Committee's requests for information related to non-notified transactions, certain responses to the Committee's requests for information related to monitoring or enforcing compliance, and other responses to the Committee's requests for information, such as for agency notices. 

4. Substantially increasing the maximum civil monetary penalty available for violations of obligations under the CFIUS statute and regulations, as well as agreements, orders, and conditions authorized by the statute and regulations, and introducing a new method for determining the maximum possible penalty for a breach of a mitigation agreement, condition, or order imposed;

At Present: The current penalty amount for making a material misstatement or omission in a notice or a declaration, or submitting a false certification with respect to a notice or declaration is a maximum of U.S. $250,000 per violation.  The penalty for failing to submit a notice or a declaration when mandatory, or non-compliance with material provisions of mitigation agreements, orders, or material conditions imposed by CFIUS, is the greater of U.S. $250,000 or the value of the transaction, per violation.

On or after December 26, 2024: The penalties for material misstatements or omissions, and false certifications, will increase to a maximum of U.S. $5 million per violation.  Similarly, the penalty for failing to file a declaration or notice when mandatory will also increase to U.S. $5 million, or the value of the transaction, whichever is greater, per violation.  Moreover, CFIUS can also impose a maximum penalty of U.S. $5 million per violation for material misstatements or omissions in responses to the Committee's requests for information related to non-notified transactions or otherwise.

With respect to non-compliance with CFIUS mitigation agreements, material conditions or orders, , these penalties will also increase to be the greatest, per violation, of (i) U.S. $5 million (ii) the value of the violating party's interest in the U.S. business (or covered real estate) at the time of the transaction, (iii) the value of the violating party's interest in the U.S. business (or covered real estate) at the time of the violation or the most proximate time to the violation for which assessing such value is practicable, or (iv) the value of the transaction. 

The new rules will apply to any mitigation agreements or orders entered into after December 26, 2024.  For mitigation agreements or orders issued on or after October 11, 2018 but before December 26, 2024, the maximum penalty will remain U.S. $250,000 or the value of the transaction, whichever is greater per violation.  However, for any mitigation agreements or orders issued between December 22, 2008 and October 11, 2018, only if the relevant parties commit a violation intentionally or through gross negligence could they be subject to a maximum penalty of U.S. $250,000 or the value of the transaction, whichever is greater.  For all violations after October 11, 2018, while the penalty amounts will vary, depending on whether the conduct occurred before or after December 26, 2024, there is no intentionality or gross negligence qualifier that would limit the scope of liability.

5. Expanding the instances in which CFIUS may use its subpoena authority, including in connection with assessing national security risk associated with non-notified transactions; and

At Present: If deemed “necessary”, CFIUS currently has the authority to compel a response from the transaction parties via a subpoena regarding submitted notices or declarations, or with respect to non-notified transactions for CFIUS to determine whether it has jurisdiction. 

On or after December 26, 2024: The standard for issuing a subpoena will change from “necessary” to whenever CFIUS deems it “appropriate”, which is a lower threshold and grants CFIUS more flexibility in its ability to press for a response.  Further, the circumstances under which CFIUS can exercise its subpoena authority will expand from pertaining just to jurisdictional issues or with respect to already submitted filings, to information requests for third parties and information needed for the purposes of monitoring compliance with CFIUS agreements or orders.

6. Extending the time frame for submission of a petition for reconsideration of a penalty to CFIUS and the number of days for CFIUS to respond to such a petition.

At Present: Under current regulations, upon receiving notice of a penalty to be imposed, the subject person may submit a petition within 15 business days of receipt of such notice, subject to an extension through written agreement with the Committee. Similarly, the Committee has 15 business days to assess the petition and issue a final penalty determination.

On or after December 26, 2024: Both time frames will extend to 20 business days, and CFIUS can grant an extension based on “compelling circumstances.”

Key Takeaways

• CFIUS remains focused on identifying non-notified transactions that may pose a risk to national security, so parties to a transaction where the buyer or minority investor is a foreign person, as well as third-party advisors and consultants, can expect an increase in requests for information from CFIUS.
• CFIUS has doubled the size of its monitoring team and thus will continue to vigorously enforce mitigation agreements, conditions or orders.[3] The increased penalties for violations of these agreements reflects how seriously CFIUS expects parties to take their obligations under any agreement or arrangement with CFIUS.
• In the last year, CFIUS has for the first time utilized its subpoena authority “in support of its national security mission,”[4] so in addition to increased requests for information, we can also expect CFIUS to rely on its expanded subpoena authority to elicit timely responses from parties to the transaction and relevant third-parties.